ZTE Chief Legal Officer
Economic globalisation brings companies from around the world into closer interaction with the open international market. When expanding their overseas presence, multinational companies need to comply with the applicable laws and regulations, which may bring risks and challenges to their business. By developing a risk-oriented compliance management system after they have established a management-oriented compliance management system, multinational companies are able to put risk governance to the front of their business operations. This helps them avoid having to blindly comply with laws and regulations, and also prevents compliance risk by letting them flexibly adapt to the dynamic external environment whilst maintaining sound operations and pursuing sustainable development.
In 2019, through the concerted efforts of its employees, ZTE made steady progress in compliance and achieved desirable results. The company has reshaped its compliance system from concept to construction, and smoothly undergone transition from a recovery to a growth phase. In terms of export control compliance, the company further incorporated compliance processes into its business, It expanded the functions of its Global Trade System (GTS) and Export Control Classification Number (ECCN) systems to improve automated compliance management, optimise its export compliance system, and increase its partners' confidence in the company's export compliance ability. In the field of anti-bribery compliance, ZTE has continuously enhanced the effectiveness of its compliance management system by fully integrating compliance requirements into its business activities. Last year, the company was ranked among the FTSE4Good Index Series for the second consecutive year, with a full-score rating for its anti-corruption efforts and leading the average value of Chinese enterprises and global telecommunications equipment suppliers. Regarding data protection compliance, ZTE has incorporated the relevant compliance requirements into product design, service delivery, and the management of internal control activities; established a corporate-level compliance system that meets the General Data Protection Regulation (GDPR) requirements and made particular compliance efforts in key business areas and countries, innovatively integrating compliance requirements into business operations. In addition, the company held the first 2019 ZTE Multinational Corporation Trade Compliance Symposium, attended by nearly 500 people, to promote a compliance-based business environment and fulfil its corporate social responsibility.
During the early stage of building its compliance system, ZTE established a management-oriented compliance model. This focused on the eight elements of compliance system building, adopted the Plan–Do–Check–Act (PDCA) method into the compliance work and created a double-cycle model of business and management. This model constitutes the core elements of ZTE's current entire compliance management system, namely: the formulation of reasonable rules, comprehensive training, resolute execution, and effective inspection.
For a company in the initial stage of building a compliance system, the above management-oriented approach has its merits: it centralises the company's resources to rapidly and fully build a top-down compliance system and ensures effective implementation. Nevertheless, although the back-end compliance risk management approach can ensure consistency in compliance efforts, the implementation of compliance-related policies usually faces the issues of inflexible execution and low efficiency and thus fails to meet the compliance requirements of varying business scenarios in actual business operation. When the compliance system-build enters each new stage, the company needs to quickly and urgently increase the identification of any underlying compliance risk in all business units. To assist with this, the company's staff should guard against compliance risks in real time by fully understanding the features of operational activities and identifying the corresponding potential risks. In such way, the company can build a risk-oriented compliance management system to prevent risks and make substantive progress in compliance management.
The risk-oriented compliance management system, guided by risk identification and using compliance management as a tool, meets the deep integration of compliance and business with the construction of a top-down compliance system and further incorporating scenario-based and instance-based compliance instructions. Guided by the risk prevention approach, business units fully identify the compliance risks in their business activities and formulate business-specific compliance rules within the framework of the corporate-level compliance rules based on the operating risk preference.
ZTE has proposed the following six steps for building a risk-oriented compliance management system:
1. Establish and Continuously Improve the Compliance Rules System
Compliance essentially means complying with the laws and regulations. In terms of the formulation of compliance rules, a company should not only translate the external laws and regulations into the internal compliance management regulations, but also formulate rules combined with the company's risk preference based on vague external laws and regulations to further refine management regulations. Therefore, the company should specify in internal regulations which are the requirements of external laws and regulations, which are the choices of the company's risk preference, and which are the further detailed management of enterprises based on vague laws and regulations. In short, the very first step in establishing a risk-oriented compliance management system is to determine the sources of compliance rules.
For example, in terms of export control compliance, the U.S. Export Administration Regulations (EAR) do not prohibit cooperation with sanctioned countries or regions. But in the ZTE Global Compliance Manuals for Export Controls and Economic Sanctions, the company prohibits any business with parties of sanctioned countries or regions. The internal rule, stricter than that of the EAR, was formulated by ZTE's further refinement of compliance management requirements based on risk preference.
Moreover, a sound compliance rule system needs to match the company's organisational structure and the compliance skill requirements of all business units. According to ZTE's pyramidal three-level compliance rule system, the company's Board of Directors determines the company's operating policy (the risk preference of the company's current operation) ,clarifies the red line that the company needs to comply with, and forms the first level of the pyramid's structure. Based on the requirements of external laws and regulations, ZTE's compliance Center of Expertise (COE) take into account the company's policies to formulate corporate-level compliance manuals, shaping the second level of the pyramid. In light of actual business activities, business unit (BU) compliance managers implement the requirements of the manual into each specific business scenario to form the compliance instructions in each area, which is the third level and top of the pyramid. By advancing the construction of a three-level pyramid compliance rule system, ZTE has effectively translated the requirements of external laws and regulations into its internal compliance management regulations in combination with the company's risk preference. The company established a compliance rule system from policy, to procedure, and to instruction, with distinct gradation and mutual citations.
2. Sort out compliance control points step by step based on the rule system
Based on its pyramid compliance rule system, ZTE has established a three-level management system, which in descending order, comprises general control based on laws and regulations, field-related control based on compliance manuals, and business-related control based on guidelines. Through identifying Key Control Points (KCPs) for compliance in business activities, the company avoids the issue of presenting staff with lengthy and hardly readable rules and turns compliance management requirements into business management rules. It also issues a Compliance KCPs Panorama to staff to help them understand the specific KCPs for their own business, the processes that must be followed, and the potential risks. Moreover, the company incorporates these KCPs into digital and IT-based processes, and controls those acts that may cause compliance risks, ensuring effective control over compliance risks in business processes with minimum management costs yet maximum efficiency.
3. Rank the level and priority of rule compliance by risk assessment
By combining the compliance rules that the company needs to follow and the business activities of the business units, ZTE conducts risk assessments on all its business processes and implements graded compliance management to prevent risks. Specifically, the company ranks each segment by its adherence to rules regarding the order of priority for compliance control based on an assessment of the probability and possible impacts of compliance risks. This helps units prevent risks based on the compliance control points for specific business processes. This graded management approach also lays down a methodological foundation for both regular and spot-checks.
4. Carry out targeted compliance training
By following the previous three steps, the company determines the contents and trainees for compliance training based on the dimensions of business unit-based posts and business scenario-based compliance control points corresponding to different process owners, thereby providing precise compliance training. ZTE innovatively created the “1+N” training mode, where “1” refers to post-based training and “N” means training for multiple scenarios. Such tailored compliance training enables all the staff members taking key compliance posts to identify and fulfil their responsibilities and provides guidance on how to solve compliance issues in varying scenarios.
5. Conduct regular and spot checks
After identifying checkpoints for compliance control points and forming corresponding checklists, the company forms its own compliance check methodology, It requires self-inspection by business units, spot checks by BU compliance teams, and other activities for recognising and removing deficiencies. These guarantee the effective implementation of compliance rules and compliance control points, help identify the processes not covered by the existing rules and any remaining issues in the processes, as well as optimise the rules accordingly, ultimately improving the company's compliance system.
6. Conduct independent audits
Audit work refers to an independent review of a company's compliance efforts. In this step, a business performs company-wide independent audits to ensure compliance with the rules and KCP requirements formed during the previous first and second steps, and it also reviews the audit results. After conducting independent audits and checking the audit results of those business units that have passed regular and spot checks with relatively mature compliance measures, the company publicises its practices so that other units can follow suit. It also applies the checked results to the appraisal of operational performance, promoting business units to proactively engage in the building of the compliance system through the delivery of targeted training and implementation of the compliance control points. This enables the company to further identify risks and improve its capability for managing the compliance system.
As the last step in completing a closed-loop compliance management system, a thorough audit is able to identify deeper, front-line problems that can hardly be identified through single or multiple control points based regular or spot checks. This contributes to the improvement and dynamic adjustment of the compliance system and meets the requirements of the company's operation.
By following the above six steps for compliance management, the company has upgraded its back-end compliance risk management to front-end compliance risk governance. It avoids the chance of major compliance operational risks occurring from front-end business activities, which is a fundamental change from passive responses to risks or emergencies. Moreover, through compliance management, the company not only controls risks, but also removes flaws in its business processes and takes corporate governance to a higher level to maintain business continuity and enhance market competitiveness.
In summary, the risk-oriented compliance management system stimulates review of operational activities in terms of how to prevent risks; helps form the underlying methodology for compliance-based operations and motivates the people responsible for operational activities to pursue compliance, enabling them to identify the dos and don'ts when conducting activities. In such way, compliance management is fully integrated into operational management with more effective resource investment to ensure business sustainability is underpinned by a compliance-based operation.
ZTE is committed on an ongoing basis to working with its partners to build a compliance-based market environment with high levels of business sustainability and high rates of growth, where the ultimate vision of compliance creating value can be achieved.